InvalidSignatureException while Invoking a Lambda via API Gateway

0

Why do I receive this error and what are the possible solutions:

{ "level": 50, "time": 1698215566274, "pid": 8, "hostname": "169.254.178.13", "name": "InvalidSignatureException", "$fault": "client", "$metadata": { "httpStatusCode": 400, "requestId": "6ef2e952-9bf4-41d7-89d7-c871f9aa7c8d", "attempts": 1, "totalRetryDelay": 0 }, "__type": "InvalidSignatureException", "message": "Signature expired: 20231025T062005Z is now earlier than 20231025T062017Z (20231025T062517Z - 5 min.)", "stack": "InvalidSignatureException: Signature expired: 20231025T062005Z is now earlier than 20231025T062017Z (20231025T062517Z - 5 min.)\n at throwDefaultError (/var/runtime/node_modules/@aws-sdk/smithy-client/dist-cjs/default-error-handler.js:8:22)\n at /var/runtime/node_modules/@aws-sdk/smithy-client/dist-cjs/default-error-handler.js:18:39\n at de_GetSecretValueCommandError (/var/runtime/node_modules/@aws-sdk/client-secrets-manager/dist-cjs/protocols/Aws_json1_1.js:507:20)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n at async /var/runtime/node_modules/@aws-sdk/middleware-serde/dist-cjs/deserializerMiddleware.js:7:24\n at async /var/runtime/node_modules/@aws-sdk/middleware-signing/dist-cjs/awsAuthMiddleware.js:14:20\n at async /var/runtime/node_modules/@aws-sdk/middleware-retry/dist-cjs/retryMiddleware.js:27:46\n at async /var/runtime/node_modules/@aws-sdk/middleware-logger/dist-cjs/loggerMiddleware.js:7:26\n at async getAwsSecret (/var/task/index.js:72085:33)\n at async getAuroraConnector (/var/task/index.js:72046:25)", "type": "Error", "msg": "Error handling request" }

2 Answers
0

Hi,

You get this error code because the client REST request reaching your API Gateway is not properly signed: it must match the SigV4 protocol.

See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

You may also want to take a look at https://github.com/aws-samples/sigv4a-signing-examples to see how to properly sign your requests from different languages.

In your specific case, the error message indicates that the request was signed too long (> 5 min) before reaching the API Gateway. See the page above: "Protect against potential replay attacks: In most cases, a request must reach AWS within five minutes of the time stamp in the request. Otherwise, AWS denies the request."

Best,

Didier

AWS
EXPERT
answered 6 months ago
EXPERT
reviewed 6 months ago
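
As an added example (not part of the original answers and not AWS code), the three timestamps in the question's error message can be decoded to see how old the signature was when the service checked it. The function names are hypothetical; the sample log record is trimmed from the one in the question.

```javascript
// Parse an ISO 8601 basic timestamp such as 20231025T062005Z into epoch ms.
function parseAmzDate(stamp) {
  const m = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/.exec(stamp);
  if (!m) throw new Error(`not a SigV4-style timestamp: ${stamp}`);
  const [y, mo, d, h, mi, s] = m.slice(1).map(Number);
  return Date.UTC(y, mo - 1, d, h, mi, s);
}

// Decode "Signature expired: <signed> is now earlier than <cutoff> (<now> - N min.)".
// Returns null for any other message so callers can fall through.
function analyzeSignatureExpired(message) {
  const re = /Signature expired: (\S+) is now earlier than (\S+) \((\S+) - (\d+) min\.\)/;
  const m = re.exec(message || "");
  if (!m) return null;
  const signedAt = parseAmzDate(m[1]);   // timestamp the client put in the request
  const cutoff = parseAmzDate(m[2]);     // oldest timestamp the service still accepts
  const serverNow = parseAmzDate(m[3]);  // service clock when it validated the request
  return {
    signedAt: new Date(signedAt).toISOString(),
    serverNow: new Date(serverNow).toISOString(),
    windowSeconds: Number(m[4]) * 60,
    // How far the signing timestamp lags the service clock. The message alone
    // cannot tell a slow signer clock from a signed request that was sent late.
    ageSeconds: (serverNow - signedAt) / 1000,
    overBySeconds: (cutoff - signedAt) / 1000,
  };
}

// Accept a JSON log record like the one in the question and analyze it
// only if it is an InvalidSignatureException.
function analyzeLogLine(line) {
  let rec;
  try { rec = JSON.parse(line); } catch { return null; }
  if (rec.name !== "InvalidSignatureException") return null;
  return analyzeSignatureExpired(rec.message);
}

// Sample record: fields copied from the question's log, other fields omitted.
const sampleLine = JSON.stringify({
  name: "InvalidSignatureException",
  message: "Signature expired: 20231025T062005Z is now earlier than " +
           "20231025T062017Z (20231025T062517Z - 5 min.)",
});

console.log(analyzeLogLine(sampleLine));
```

For the record in the question, the signing timestamp is 312 seconds behind the service clock, 12 seconds outside the 5-minute window.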
0

Thank you Didier,

First of all, thank you for your answer.

Weirdly, we can evade this problem by deploying with another Jenkins agent. Is this a coincidence or also related?

answered 6 months ago
